MetaMask 2FA Phishing Steals 12‑Word Seed Phrases

A widespread phishing campaign is impersonating MetaMask to trick users into revealing their 12‑word recovery (seed) phrases by presenting fake two‑factor authentication (2FA) prompts. Attackers send emails or direct links to cloned domains that mimic MetaMask’s interface and display urgent security warnings urging users to “Enable 2FA Now.” The fraudulent pages use countdown timers and credibility checks to pressure victims into entering their seed phrase; once submitted attackers can immediately import the wallet and drain funds. Blockchain security firm SlowMist’s chief security officer (23pds) publicly flagged the campaign on January 5, 2026. MetaMask’s large user base (100M+ annual users) and extensive dApp connections make it a frequent impersonation target. The later reporting reinforces earlier alerts and adds emphasis on social‑engineering features (timers, fake checks) used to increase conversion. Key trader takeaways: never enter seed phrases or follow unsolicited 2FA links, verify domain names and extension sources, prefer hardware wallets or verified wallet managers, and expect phishing‑related outflows and wallet drains to rise during periods of heightened market activity. Primary keywords: MetaMask, phishing, seed phrase, wallet security, 2FA.
Bearish
This news is bearish for MetaMask‑related on‑chain activity and short‑term token sentiment tied to the platform because successful seed‑phrase thefts directly remove liquidity from user wallets and increase sell pressure as attackers liquidate stolen assets. The campaign raises immediate custodial risk and can prompt users to withdraw funds to cold storage, reducing on‑platform activity. In the short term expect episodic outflows and possible increased volatility for assets commonly held by retail MetaMask users during spikes in phishing campaigns or market activity. In the longer term the story may drive higher demand for hardware wallets and curated wallet services, improving security posture and lowering risk exposure; that could stabilize activity but not fully reverse near‑term selling by attackers. Overall the direct price impact is negative for assets most exposed to retail MetaMask holdings while broader market effects remain limited unless the campaign scales dramatically.